General Privacy Statement

Last updated: 06.11.24

What information is processed and what is it used for?
In order to fulfill our obligations as an employer and educational institution, we collect and process various types of personal data. Personal data about employees is obtained from the application process and tax authorities. For students, the information is obtained from admission systems such as Studentweb and the Common Student System (FS).

Employees:
We process personal data in order to administer employment, salary, absence, leave, and other personnel administration. Examples of personal data processed: Name, national identity number, contact information, job title, salary information, seniority
and information about next of kin

Students:
For students, personal data is processed to administer admissions, studies, exams, exchanges, diplomas and transcripts, as well as to offer services such as guidance, health and welfare services. We also process student data in order to fulfill our reporting obligations to public authorities, and to improve and develop the quality of the education we offer. Examples of personal data processed: Name, national identity number, contact information, study program, grades and leave.

Legal basis for processing We process personal data in accordance with GDPR Article 6 No. 1 letter a, b, c or f, as well as the University and College Act and the Working Environment Act. In some cases, we also obtain consent for specific processing of sensitive information in accordance with GDPR Article 9 No. 2a).

Research data
See the college's guidelines for the processing of personal data in research projects, Privacy in research.

Disclosure of personal data
NLA may disclose personal data to relevant actors, such as NAV, the Tax Administration, the Norwegian State Educational Loan Fund, and research bodies where it is legally required. Personal data may also be disclosed to suppliers who process data on our behalf.

Deletion of personal data
We store personal data for as long as necessary to fulfill the purposes for which it was collected.

Security
Personal data is processed in secure IT systems, and only persons with a service need have access to these systems. Processing is logged to ensure confidentiality and integrity. Storage time can normally be 3 months – 1 year. Sensitive information is protected with necessary security measures.

In accordance with GDPR Article 32, the college is obliged to implement sufficient technical and organizational measures to achieve an appropriate level of security when processing personal data.

Reservation
Employees and students can reserve themselves against the use of images and contact information on public websites and in internal systems such as Studentweb and Teams. For students, this can be done via Studentweb.

Security breach
We are aware of today's threat landscape, including threats such as phishing, ransomware and other forms of cyber attacks. In the event of a security breach, we will inform you as soon as possible, in accordance with applicable law. All employees and students are encouraged to follow good routines for online security and be on guard against online fraud. Strong passwords and two-factor authentication should be used.

Third-party collaboration
We collaborate with external organizations, such as education and research partners, student welfare organizations and technology suppliers. We provide information about how personal data is shared with these third parties, and how they are obliged to protect data. Data processor agreements provide guidelines for the processing of personal data.

The student welfare organizations in Norway gain access to personal data about students who are registered in the student register at NLA University College, students who have paid the semester fee or have been granted the right to study at the college.

The student welfare organizations are given the date of birth and personal number/D number, first name, last name, educational institution code, last paid semester fee, any exempted semester fee, email and mobile number. The access also applies to subcontractors with whom the student welfare organizations have a data processor agreement.

This is necessary for the student welfare organizations to be able to deliver their services to the students.

The legal basis for the disclosure is the Personal Data Ordinance (GDPR) Article 6. no. 1 c (legal obligations) and the Act on Student Welfare Organizations (Student Welfare Organization Act) §§ 4 and 5. Read more about SiOs processing of personal data in SiO's privacy statement point 4.